Introduction

This chapter helps the reader prepare for the security-management domain.
Security management addresses the identification of the organization’s
information assets. The security-management domain also introduces some critical
documents, such as policies, procedures, and guidelines. These documents are of
great importance because they spell out how the organization manages its
security practices and detail what is most important to the organization.

These documents are not developed in a vacuum. Senior management sets
the general direction, and risk-assessment and risk-analysis activities are
used to determine where protective mechanisms should be placed. This chapter
also introduces the two ways to calculate risk: qualitatively and
quantitatively.

Finally, it’s important not to forget the employees. Employees need to
be trained on what good security is and what they can do to ensure that good
security is always practiced in the workplace. The goal here, as in the other
domains, is to ensure the confidentiality, integrity, and availability of the
organization’s assets and information. This chapter divides
security-management practices into five broad categories:

Risk assessment

Policy

Implementation

Training and education

Auditing the security infrastructure

Before we jump into these topics and look at the ways in which information
assets are protected, let’s talk briefly about the risks of poor security
management and the role of confidentiality, integrity, and availability.